.Dd May 12, 2007
.Dt ewfacquirestream
.Os libewf
.Sh NAME
.Nm ewfacquirestream
.Nd acquires data in the EWF format from stdin
.Sh SYNOPSIS
.Nm ewfacquirestream
.Op Fl b Ar amount_of_sectors
.Op Fl c Ar compression_type
.Op Fl C Ar case_number
.Op Fl d Ar digest_type
.Op Fl D Ar description
.Op Fl e Ar examiner_name
.Op Fl E Ar evidence_number
.Op Fl f Ar format
.Op Fl m Ar media_type
.Op Fl M Ar volume_type
.Op Fl N Ar notes
.Op Fl S Ar segment_file_size
.Op Fl t Ar target
.Op Fl hsvV
.Sh DESCRIPTION
.Nm ewfacquirestream
is a utility to acquire media data from stdin
and store it in EWF format (Expert Witness Format).
.Nm ewfacquirestream
acquires media data in a format equivalent to EnCase and FTK imager, including meta data.
Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS\-X/Darwin.
.Pp
.Nm ewfacquirestream
is part of the
.Nm libewf
package.
.Nm libewf
is a library to support the Expert Witness Compression Format (EWF).
.Nm libewf
supports both the SMART format (EWF-S01) and the EnCase format (EWF-E01).
.Nm libewf
currently does not support the Logical Volume format (EWF-L01).
EWF-X is an experimental format intended for testing purposes to enhance the EWF format.
.Nm libewf
allows you to read and write media data in the EWF format.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar amount_of_sectors
the amount of sectors to read at once (per chunk), options: 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or 32768
.It Fl c Ar compression_type
the compression type, options: none (is default), empty_block, fast, best
.It Fl C Ar case_number
the case number (default is case_number)
.It Fl d Ar digest_type
calculate additional digest (hash) types besides md5, options: sha1
.It Fl D Ar description
the description (default is description)
.It Fl e Ar examiner_name
the examiner name (default is examiner_name)
.It Fl E Ar evidence_number
the evidence number (default is evidence_number)
.It Fl f Ar format
the EWF file format to write to, options: ftk, encase2, encase3, encase4, encase5 (is default), encase6, linen5, linen6, ewfx.
.Nm libewf
does not support streamed writes for other EWF formats.
.It Fl h
shows this help
.It Fl m Ar media_type
the media type, options: fixed (is default), removable
.It Fl M Ar volume_type
the volume type, options: logical (is default), physical
.It Fl N Ar notes
the notes (default is notes)
.It Fl s
swap byte pairs of the media data (from AB to BA)
(use this for big to little endian conversion and vice versa)
.It Fl S Ar segment_file_size
the segment file size in kbytes (2^10) (default is 665600)
.It Fl t Ar target
the target file (without extension) to write to (default is stream)
.It Fl v
verbose output to stderr
.It Fl V
print version
.El
.Pp
.Nm ewfacquirestream
will read from stdin until it encounters a read error.
On read error it will stop; no error information is stored in the EWF file(s).
.Pp
Empty block compression detects blocks of sectors with entirely the same byte data and compresses them using the default compression level.
.Sh ENVIRONMENT
None
.Sh FILES
None
.Sh EXAMPLES
.Bd -literal
# ewfacquirestream -C 1 -D Floppy -E 1.1 -e 'John D.' -N 'Just a floppy in my system' -m removable -M physical -t floppy </dev/fd0
ewfacquirestream 20070512 (libewf 20070512, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Using the following acquiry parameters:
Image path and filename: floppy.E01
Case number: 1
Description: Floppy
Evidence number: 1.1
Examiner name: John D.
Notes: Just a floppy in my system
Media type: removable
Volume type: physical
Compression used: none
Compress empty blocks: no
EWF file format: EnCase 5
Acquiry start offet: 0
Amount of bytes to acquire: 0 (until end of input)
Evidence segment file size: 665600 kbytes
Block size: 64 sectors
Error granularity: 64 sectors
Retries on read error: 2
Wipe sectors on read error: no

Acquiry started at: Sat May 12 11:32:41 2007

This could take a while.

Acquiry completed at: Sat May 12 11:32:42 2007

Written: 1.4 MB (1474560 bytes) in 1 second(s) with 1 MB/s (1474560 bytes/second).

MD5 hash calculated over data: ae1ce8f5ac079d3ee93f97fe3792bda3
.Ed
.Sh DIAGNOSTICS
Errors, verbose and debug output are printed to stderr when verbose output \-v is enabled.
Verbose and debug output are only printed when enabled at compilation.
.Sh BUGS
Please report bugs of any kind to <forensics@hoffmannbv.nl> or on the project website:
https://libewf.uitwisselplatform.nl/
.Sh AUTHOR
These man pages were written by Joachim Metz.
.Sh COPYRIGHT
Copyright 2006-2007 Joachim Metz, Hoffmann Investigations <forensics@hoffmannbv.nl> and contributors.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.Sh SEE ALSO
.Xr ewfacquire 1 ,
.Xr ewfexport 1 ,
.Xr ewfinfo 1 ,
.Xr ewfverify 1
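
Because ewfacquirestream stops at the first read error and stores no error information in the EWF file(s), a short image has to be caught by comparing the run summary against an independent measurement of the source. The following is an added example, not part of libewf or of this man page: it parses the "Written:" and "MD5 hash calculated over data:" lines in the layout shown under EXAMPLES. The function names are hypothetical, and it assumes the tool's terminal output was saved to a log file.

```shell
#!/bin/sh
# Added example (not part of libewf). Function names are hypothetical.
# Assumes the run's terminal output was saved to a file and has the
# layout shown in the EXAMPLES section of this page.

# Constructed sample: summary lines copied from the EXAMPLES output.
sample_log() {
cat <<'EOF'
Acquiry completed at: Sat May 12 11:32:42 2007
Written: 1.4 MB (1474560 bytes) in 1 second(s) with 1 MB/s (1474560 bytes/second).
MD5 hash calculated over data: ae1ce8f5ac079d3ee93f97fe3792bda3
EOF
}

# Byte count from the "Written:" summary line.
ewf_written_bytes() {
    sed -n 's/^Written: .*(\([0-9][0-9]*\) bytes) in .*/\1/p' "$1" | head -n 1
}

# MD5 from the "MD5 hash calculated over data:" line, lowercased.
ewf_reported_md5() {
    sed -n 's/^MD5 hash calculated over data:[[:space:]]*\([0-9a-fA-F]\{32\}\).*/\1/p' "$1" |
        head -n 1 | tr 'A-F' 'a-f'
}

# check_acquisition LOG SOURCE_BYTES SOURCE_MD5
# SOURCE_BYTES and SOURCE_MD5 come from an independent measurement of the
# source (for example its known size and a separate md5sum pass).
# Returns 0 = match, 1 = size mismatch (possible stop on read error),
#         2 = hash mismatch, 3 = no completion summary in the log.
check_acquisition() {
    got_bytes=$(ewf_written_bytes "$1")
    got_md5=$(ewf_reported_md5 "$1")
    want_md5=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ -z "$got_bytes" ] || [ -z "$got_md5" ]; then
        echo "no completion summary in $1" >&2; return 3
    fi
    if [ "$got_bytes" != "$2" ]; then
        echo "size mismatch: wrote $got_bytes, source has $2 bytes" >&2; return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch: image $got_md5, source $want_md5" >&2; return 2
    fi
    echo "ok: $got_bytes bytes, md5 $got_md5"
}
```

A non-zero return from check_acquisition means the image should not be treated as a complete copy of the source until the difference is explained.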